1. Field of the Invention
This invention relates generally to the field of data processing systems. More particularly, the invention relates to a system and method for non-intrusive, privacy-preserving authentication.
2. Description of Related Art
FIG. 1 illustrates an exemplary client 120 with a biometric device 100. When operated normally, a biometric sensor 102 reads raw biometric data from the user (e.g., capture the user's fingerprint, record the user's voice, snap a photo of the user, etc) and a feature extraction module 103 extracts specified characteristics of the raw biometric data (e.g., focusing on certain regions of the fingerprint, certain facial features, etc). A matcher module 104 compares the extracted features 133 with biometric reference data 110 stored in a secure storage on the client 120 and generates a score based on the similarity between the extracted features and the biometric reference data 110. The biometric reference data 110 is typically the result of an enrollment process in which the user enrolls a fingerprint, voice sample, image or other biometric data with the device 100. An application 105 may then use the score to determine whether the authentication was successful (e.g., if the score is above a certain specified threshold).
Systems have also been designed for providing secure user authentication over a network using biometric sensors. In such systems, the score 135 generated by the application 105, and/or other authentication data, may be sent over a network to authenticate the user with a remote server. For example, Patent Application No. 2011/0082801 (“801 Application”) describes a framework for user registration and authentication on a network which provides strong authentication (e.g., protection against identity theft and phishing), secure transactions (e.g., protection against “malware in the browser” and “man in the middle” attacks for transactions), and enrollment/management of client authentication tokens (e.g., fingerprint readers, facial recognition devices, smartcards, trusted platform modules, etc).
Authenticators such as those described above require some form of user interaction such as swiping the finger, or entering a secret code. These “normal” authenticators are intended to authenticate the user at a given point in time. In addition, “silent” authenticators may also be used which are designed to authenticate the user's device at a given point in time (rather than the user). These silent authenticators may rely on information extracted from the user's device without interaction by the user (e.g., sending a Machine-ID).
However, there are certain use cases where requiring explicit user interaction presents too much friction (e.g., near field communication (NFC) payments, frequently used apps requiring authentication without being tied to high value transactions), whereas a “silent” authentication technique such as sending a Machine-ID does not provide enough certainty that the legitimate user is still in possession of the device.
Several “continuous” authentication methods have been proposed by the research community such as Anthony J. Nicholson, “Mobile Device Security Using Transient Authentication,” IEEE TRANSACTIONS ON MOBILE COMPUTING VOL. 5, NO. 11, pp. 1489-1502 (November 2006), currently at http://www.di.ubi.pthmario/paginas/g2.pdf; Mohammad O. Derawi, “Unobtrusive User-Authentication on Mobile Phones using Biometric Gait Recognition” (2010) currently at http://www.hig.no/content/download/29796/358676/version/1/file/iih-msp.pdf; and Koichiro Niinuma, Anil K. Jain, “Continuous User Authentication Using Temporal Information” (currently at http://www.cse.msu.edu/biometrics/Publications/Face/NiinumaJain_ContinuousAuth_SPIE10.pdf). Some of these methods have even been adopted by the industry such as BehavioSec, “Measuring FAR/FRR/EER in Continuous Authentication,” Stockholm, Sweden (2009). These methods generally provide an assurance level that the legitimate user is still in possession a device without adding friction to the authentication process, but they focus on a single modality (i.e. using a wearable token, gait recognition, face and color of clothing recognition and user's keyboard input).
One problem which exists, however, is that directly providing location data or other personal (e.g. face image, color of clothing, gait or typing characteristics, . . . ) or environmental data (e.g. temperature, humidity, WLAN SSIDs, . . . ) to the relying party for supplementing the risk estimation violates the user's privacy in some regions of the world. Consequently, more advanced remote authentication techniques are needed which are both non-intrusive and adequately protect the end user's privacy.